topic Re: process tracking and auditing in Operating System - Linux

process tracking and auditing

Maaz — Sun, 07 May 2006 13:11:06 GMT

Dear Gurus
OS: rhel 4

how can initiallize the /var/log/wtmp ? that is i have check it via last command, and now I want that all old info will be de delete .. ?

how to enable auditing on a file/folder ? say I wana audit/track who has access the /secret directory

Regards
Maaz

Re: process tracking and auditing

Manuel Wolfshant — Sun, 07 May 2006 19:12:24 GMT

wtmp is automatically created/maintained/used. The command "last" will only read from this file. The file is part of the log rotate process, the previous version can be found as wtmp.1. In order to use it, you have to pass it as parameter to the command "last", as in
last -f /var/log/wtmp.1

In order to audit the access, the standard way in RHEL is by using the auditd daemon. You should start by installing the "audit" package (audit-1.0.12-1.EL4 is the most current version at the time) and reading the man pages of auditd. After that, adjust /etc/auditd.conf, /etc/audit.rules per your needs and use the various audit* utilities to monitor access.

Re: process tracking and auditing

Mike Stroyan — Mon, 08 May 2006 10:22:03 GMT

The logrotate setting for /var/log/wtmp is in /etc/logrotate.conf. It is unusual in that it is handled in the toplevel config file instead of a specific file under /etc/logrotate.d. The config for /var/log/wtmp sets it aside once a month, then creates a new empty file with 0664 permissions, user root, group utmp. You could do that manually with-
# mv /var/log/wtmp /var/log/wtmp.1
# touch /var/log/wtmp
# chmod 0664 /var/log/wtmp
# chown root:wtmp /var/log/wtmp

Re: process tracking and auditing

Maaz — Fri, 12 May 2006 13:59:13 GMT

i turned on the process account via
#accton /var/account/pacct

then issued some command and check it via
#lastcomm --user maaz
OK
but after a very short time
#tail -f /var/log/messages
May 12 22:36:53 system1 kernel: Process accounting paused
#lastcomm --user maaz, only shoes old command, that is new command are not shown by lastcomm output

plz help
Regards
Maaz

Re: process tracking and auditing

Maaz — Fri, 26 May 2006 14:25:57 GMT

/var is almost full. I found that if /var is near to full then kenel process tracking will aoutomatically paused.
I move /var to biger/larger partition.. and its DONE ;)

Re: process tracking and auditing

Manuel Wolfshant — Fri, 26 May 2006 16:15:42 GMT

Wrong approach, maaz. you should make sure that the files auditd writes to do never exceed a certain limited size. You can do that with the help of /etc/audit.conf + the logrotate cron job.
You should also setup size limits for all other logs. You should use /etc/logrotate.conf for that. Do not be shy but creative and add your own scripts to /etc/logrotate.d